abstracts

This talk aims to explain how iMessage exploitation techniques, as known to the public, have evolved in recent times.

After a brief overview of the iMessage architecture, the talk will recapitulate how memory corruption vulnerabilities could be exploited over iMessage without user interaction up until around 2-3 years ago. It then dives into a set of iMessage hardening measures implemented by Apple since 2020, and how these have affected exploitation. These include various architectural changes, such as the new BlastDoor sandboxing service, as well as specific exploit mitigations to render previous exploitation techniques, for example for bypassing ASLR, ineffective. The talk concludes with a high-level look at how the iMessage exploit caught in-the-wild by Citizenlab in mid-2021 worked and in which ways it was affected by those hardening measures.

2021’s hottest new tech term, according to TechCrunch, was “definitely Web3”. Web3, as its name suggests, is considered by many as the future of the internet: decentralized, permissionless, and based on modern blockchain technology. While Web3 might have a bright future, it’s in the middle of growing pains: A number of Web3 apps were hacked in 2021, leading to theft of cryptoassets valued at hundreds of millions of US Dollars. In this talk we will present Web3 app technology, dissect new attack surfaces, and suggest new and exciting defense mechanisms.

First, we will dive into the technical details of Web3 applications, showing how Web3 technology opens new attack surfaces by moving app functionality onto the blockchain. We will then analyze these newly-exposed attack surfaces by reviewing a few examples we’ve discovered “in the wild.”

While Web3 exposes new attack surfaces, it also provides novel detection opportunities. Specifically, the public and transparent nature of the blockchain allows security researchers to immediately explore full details of any attack and, as a result, leads to quick and thorough discoveries. This is a paradigm shift in security research, as current practices only allow a few to learn actual attack details, only some portions of which are shared publicly. This shift in transparency allowed us to independently explore the aforementioned attacks.

Furthermore, we believe we can do even better and go beyond rapid post-mortem reports. We will show how the same raw data we had previously used for a post-mortem analysis can be analyzed in real-time (or even ante factum by “taking a peek” into the blocks that have yet to be mined) to detect and even prevent attacks. This capability is enabled by the online nature of the blockchain and its inherent block time delays. In fact, we can import, with relevant modifications, many of the principles and learnings of current web defenses, including Web Application Firewall (WAF) into the realm of blockchain. By doing so, we introduce a scheme for a Web3 Application Firewall (W3AF) which can greatly improve Web3 security and blockchain-based apps.

NTLM “Relaying” is a well known replay attack for Windows systems in which the attacker performs a man in the middle and acts on behalf of the victim while communicating with a remote server by altering the network packets. In recent years, all of the research and mitigations have been done on the most used protocols which use NTLM as an authentication mechanism like SMB, LDAP, HTTP... What about RPC? RPC is a protocol heavily used internally by Windows systems for inter process communication and to support all the COM/DCOM protocol.

In this talk, we will uncover this unexplored attack surface and demonstrate a novel way of performing NTLM relay attacks based on the RPC/DCOM protocols. Within this talk, we will show our tool to exploit this vulnerability and enable further scenarios of exploitation especially in Active Directory environments: the RemotePotato0. This changes the approach of attacking Windows servers in which multiple users are logged on. RemotePotato0 will allow stealing and relaying authentications to remote privileged resources even from an unprivileged user thus allowing to achieve privilege escalation and to break the multi-user security model of Windows systems.

Cloud is the new operating system of the internet - almost all companies use the cloud to host services and data. While there are many talks about how to configure and maintain secure public cloud environments, there’s little security research into the core cloud infrastructure, and vulnerabilities in core services could have a big impact on customers.

This talk gets into the specifics of an elegant vulnerability we found in the AWS CloudFormation service, an XXE that led to local file disclosure and SSRF, allowing us to read sensitive data. Also, we will get into the potential impact on AWS customers, the disclosure process with a major cloud provider, and how we ensured it was patched.

We will discuss the anatomy of this new type of cloud provider service vulnerability, the inherent security risks involved when using cloud services, and future research avenues.

In the past few years, our industry has evolved a lot in our journey to improve security and mitigate memory safety. One of the key efforts is introducing new dedicated silicon that gives us guarantees and new abilities to rely on at the architectural level. Some examples are HLAT, PAC, MTE, CHERI, and many other hardware security features in Apple CPUs (KTRR, SPRR, etc.). Memory tagging is an interesting extension to the ARM CPUs. It gives us new kinds of primitives we didn’t have before regarding how we interact with memory.

In this talk, I will present a security analysis of MTE and review which security guarantees are provided by the architecture and how compilers and software can use these to enforce a new level of mitigation in legacy code. This is an interesting process, mainly because MTE was originally designed for at-scale detection of bugs, not for memory safety mitigations purposes.

To get a better and deeper understanding, we will go down the rabbit hole and develop an exploit on the latest Ubuntu in QEMU with the necessary support for MTE in place. We will reveal the impact of MTE during the exploitation process, alongside the areas still interesting for security research that might be a critical Achilles’ heel of MTE-based mitigations.

Finally, I will share the takeaways from this research and discuss the possible impact MTE might have on memory safety in the long term.

During our everyday life as reverse engineers we dive into malware samples and analyze them one by one day after day. Sometimes however, it’s good to take a step back, take a look at the bigger picture and try to generate deeper insights. This way we can gain better understanding of a specific threat actor, general malicious behavior, and defense failures.

Over the past 18 months Mandiant had been tracking a fascinating Chinese affiliated threat group dubbed UNC215. This is a group that has been focusing on Middle Eastern targets recently and were even operating an elaborate espionage campaign against Israel Government in the past two years. We have analyzed many malware samples attributed to this group and were able to collect a lot of technical information about the structure of their tools and their evolution. We have seen the actor operating in an elegant and precise fashion, employing clean up and evasion techniques. We were also able to acquire a lot of data points about the group’s technical wins.

During this session we will discuss our analysis and use it to describe valuable insights we gained about the group’s capabilities and modus operandi. Well also draw conclusions about common mistakes made by defenders. Our presentation will include a walkthrough of specific tools and code samples, discussion of vulnerabilities and exploits used by the threat actor with emphasis on the actor’s strengths and weaknesses. We will also describe the technical bulk analysis that we used which allowed us to turn technical research into actionable intelligence data.

It’s not just you. The frequency of severe vulnerabilities in internet-facing enterprise software being massively exploited at scale has increased drastically. The amount of time between disclosure and exploitation of these vulnerabilities has been reduced to near-zero, leaving defenders with less time to react and respond. While combating internet-wide opportunistic exploitation is a sprawling and complex problem, there is both an art and a science to staying ahead of large exploitation events such as Log4J.

In this talk we will share insights and challenges from operating a huge, shifting, adaptive, distributed sensor network listening to internet background noise and opportunistic exploitation traffic over the past four years. We will give a blunt state of the universe on mass exploitation. We will share patterns and unexplainable phenomena we’ve experienced across billions of internet scans. And we will make recommendations to defenders for preparing for the next time the cyber hits the fan.

Today, there are many different blockchains storing billions of dollars, each with its unique use cases and qualities.

In order for these blockchains to communicate with each other, cross-chain bridges have been created.

In this talk, we'll review the basics of how cross-chain bridges work, and dive into vulnerability research I've conducted on the Polygon PoS bridge that resulted in finding a vulnerability that once exploited, allows stealing billions of dollars locked in the bridge.

Not so long ago a good friend of mine complained about a strange phenomenon - since the installation of his newly advanced intercom, he started to receive some weird phone calls in the middle of night. On top of this, when he answers these strange calls, the associated intercom mobile application in his smartphone is opened and he sees the interior of random offices around the world. Intrigued, I started to investigate further in order to find out what is going on..

In this talk, I will take you through my adventure to understand what happened that night and how I completed the research with a PWN of the entire intercom system. I will explain how modern intercoms are working, what kind of new features they hold, and how I was able to PWN a popular intercom brand (V-TEC) and bypass their security features to get remote access to the video feed (camera) and door control (lock) of ALL the cloud connected V-TEC intercoms worldwide. Through the talk I will also elaborate on all the involved technologies and protocols related to modern cloud-based intercoms and VOIP communications - the delivery of voice communications and multimedia sessions over the internet. This includes SIP, SDP, STUN, and RTP to name a few.

Microsoft Defender for Endpoint (MDE) invests in cross-platform protection, including Linux, Android and macOS. To better understand macOS security, the research team has examined each security feature and tested their learnings to the limit.

In this talk, we will review 2 of these security features (SIP, TCC) and describe how we found vulnerabilities in each of them, while disclosing responsibly and working with Apple to secure their operating system.

Spectre v1 attacks, which exploit conditional branch misprediction, are often identified with attacks that bypass array bounds checking to leak data from a victim program's memory. Perhaps as a result, the Linux kernel attempts to defend itself from Spectre v1 attacks by protecting array accesses.

Generally, however, Spectre v1 attacks can exploit any conditional branch misprediction. This talk will analyze the vulnerability of the Linux kernel to such a new Spectre v1 attack vector, called speculative type confusion, which uses branch misprediction to make the kernel execute with variables holding values of the wrong type and thereby leak memory content.

Our analysis described in the talk finds multiple exploitable and potentially-exploitable speculative type confusion attacks on the Linux kernel. We will demonstrate a full memory disclosure attack, capable of reading all of physical memory, by bypassing Linux eBPF's Spectre mitigations (fixed in June 2021 following a responsible disclosure process). We will show that speculative type confusion can occur as a result of compiler optimizations, which developers cannot control or reason about. We will analyze Linux's approach for reducing retpoline overhead, and show that broadly adopting its approach would lead to many speculative type confusion issues, due to speculatively executing a valid but wrong target of an indirect branch. Finally, we will show that existing Spectre mitigations capable of defeating speculative type confusion impose unacceptable overheads.

Overall, this talk will show that speculative type confusion is much more insidious than array bounds check bypasses, and makes it hard if not impossible for developers to reason about code and apply Spectre mitigations. Consequently, Spectre mitigations needs to be rethought, and more hardware support seems to be required to efficiently block the attacks.

Hypervisors are complex software which may require the reimplementation of legacy stacks. On Microsoft Hyper-V virtual machines (generation 1), some devices are emulated in the userland of its root partition.

To explore this attack surface, a specifically crafted open source toolchain called Hyntrospect has been developed. It aims at helping find vulnerabilities in a pragmatic way: by taking benefits of existing Hyper-V and Windows capabilities and tools to perform coverage-guided fuzzing on Hyper-V closed-source binaries. That approach was inspired by previous experiences with libFuzzer, a publication by Microsoft on their fuzzing campaign, and other research conducted on the topic. The specificity of that tool is to rely on debugging and as a consequence to run in a real environment.

It was also written in the perspective of putting together techniques that could be ported in the future to other Hyper-V root partition’s userland targets.

In this talk, we will review research that I worked on for 6-8 months back in 2019. It's a whole design flaw vulnerability class in the windows UI kernel component (win32k), and 11 CVE's were assigned to my findings. I will also introduce new techniques of triggering these vulns, how they cause UAF in the kernel and how complex it was to research it and gain 100% deterministic code execution.